Insight Agent

This page has information about using the Insight Agent in InsightIDR including the following:

  • Using the Endpoint Monitor as an alternative to the Insight Agent.
  • Event codes monitored by the Insight Agent and the Endpoint Monitor in InsightIDR.
  • Alerts that can fire from the data contributed by the Insight Agent and the Endpoint Monitor in InsightIDR.

Insight Agent Installation and Deployment Help has been moved!

See our Insight Agent Help pages for complete agent installation and deployment documentation for all your Insight products.

Endpoint Monitor

If you do not want to use the Insight Agent, you can use the Endpoint Monitor instead. The Endpoint Monitor, or Scan Mode, is exclusive to InsightIDR and can run an “agentless scan” that deploys along the Collector instead of through installed software.

Please note the following about the Endpoint Monitor:

  • Rapid7 recommends using the Insight Agent over the Endpoint Monitor because the Insight Agent collects real-time data, is capable of more detections, and allows you to use the Scheduled Forsensics feature. See the Insight Agent documentation for Insight Agent deployment instructions.
  • If you are a Managed Detection and Response (MDR) customer, you cannot use the Endpoint Monitor. You must install the Insight Agent on at least 80% of your endpoints. Please note that Rapid7 recommends that MDR customers install the Insight Agent on every endpoint possible, and not just 80% of the endpoints. However, the Insight Agent is required to be installed on at least 80% of the endpoints for Full Service monitoring.
  • The Endpoint Monitor only works on Windows assets.

See the Endpoint Monitor documentation for more information.

Monitored Event Codes

By default, the Endpoint Monitor and the Insight Agent monitor the following event codes. Every event code listed contributes to built-in alerting in InsightIDR but may not appear in Log Search.

Log Origin





1102, 4624, 4625, 4648, 4720

Security logs when running on a Domain Controller*

1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728, 4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769

Windows Defender Antivirus

1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1015, 1116, 1117, 1118, 1119, 1120, 1150, 1151, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2010, 2011, 2012, 2013, 2020, 2021, 2030, 2031, 2040, 2041, 2042, 3002, 3007, 5000, 5001, 5004, 5007, 5008, 5009, 5010, 5011, 5012, 5100, 5101

You must opt in to collect Security Event Logs from the Domain Controller

To opt in, navigate to Settings > Insight Agent, select the Domain Controller Events tab, and switch the toggle ON. Once you've switched the toggle ON, if the Insight Agent is installed on a Domain Controller, the additional Security events will be collected. This is an optional alternative to using an Active Directory event source for each Domain Controller.

User Behavior Alert Contribution

The data provided by the Insight Agent and the Endpoint Monitor contributes to the following alerts:

  • brute force - asset
  • brute force - local account
  • detection evasion - event log deletion
  • detection evasion - local event log deletion
  • endpoint threat intelligence match
  • exploit mitigated
  • flagged hash on asset
  • flagged process on asset
  • honey file accessed
  • kerberos privilege elevation exploit
  • lateral movement - local administrator impersonation
  • lateral movement - local credentials
  • local honey credential privilege escalation attempt
  • malicious hash on asset
  • new local user account created
  • protocol poisoning detected
  • remote file execution detected